Kelly A. Lenahan-Pfahlert | lenahanpfahlertk@ballardspahr.com |  215.864.7311 | view full bio

Kelly focuses her practice on white collar defense and complex civil litigation.  Kelly has substantial experience in litigating BSA/AML issues on behalf of financial institutions relating to both discovery and liability, assisting with AML-related internal investigations

On May 3, 2024, the Board of Governors of the Federal Reserve System (the “Federal Reserve”), the Federal Deposit Insurance Corporation (“FDIC”), and the Office of the Comptroller of the Currency (“OCC”) jointly released the “Third-Party Risk Management: A Guide for Community Banks” (the “Guide”), presenting it as a resource for community banks to bolster their third-party risk management programs, policies, and practices.

The Guide serves as a companion to the Interagency Guidance on Third-Party Relationship: Risk Management issued in June 2023 (on which we blogged, here).  It also relates to the OCC’s Fall 2023 Semiannual Risk Perspective, which emphasizes the need for banks to maintain prudent risk management practices – including practices tailored to address Bank Secrecy Act (“BSA”)/Anti-Money Laundering (“AML”) compliance risks with respect to fintech relationships.

The Guide acknowledges the widespread collaborations between community banks and third-party entities, and recognizes the strategic importance for such partnerships to improve competitiveness and adaptability. These collaborations provide community banks with access to a diverse array of resources, such as new technologies, risk management tools, skilled personnel, delivery channels, products, services, and market opportunities.

However, the Guide underscores that reliance on third parties entails a loss of direct operational control, thereby exposing community banks to a spectrum of risks.  Banks are still accountable for executing all activities in compliance with applicable laws and regulations.  “These laws and regulations include . . . those designed to protect consumers (such as fair lending laws and prohibitions against unfair, deceptive, or abusive acts or practices) and those addressing financial crimes (such as fraud and money laundering).”  Accordingly, the Guide emphasizes that the engagement of third parties does not absolve a bank of its responsibility to operate in a safe and sound manner and to comply with regulatory requirements, “just as if the bank were to perform the service or activity itself.”  The Guide sets forth this concept in bold, on the first page. 

The Guide’s emphasis on governance practices highlights the critical role of oversight, accountability, and documentation in ensuring regulatory compliance and safeguarding the interests of both banks and their customers.   Although the Guide styles itself as offering a framework tailored to the specific needs and challenges faced by community banks, it also offers direction to all financial institutions in regards to effective third-party risk management. 

Continue Reading  Federal Banking Agencies Issue Guide to Third-Party Risk Management Practices for Community Banks

It is challenging for law enforcement to track down and trace illicit activities conducted through digital currencies. The process can be very time- and resource-intensive.  Further, securing charges and arrests, and subsequent convictions, often requires the strong support of traditional sources of evidence, such as fact witness testimony and electronic communications.  Nonetheless, blockchain analytics is a key component of the government’s ability to pursue such cases.

On March 12, a jury in the United States District Court for the District of Columbia found Roman Sterlingov guilty on charges of money laundering conspiracy, so-called “sting” money laundering, operating an unlicensed money transmitting business, and violations of the D.C. Money Transmitters Act.  We blogged about the initial criminal complaint issued against Sterlingov here.  Sterlingov allegedly laundered $400 million through Bitcoin Fog, a bitcoin mixing service which can be used to obscure the origins of cryptocurrency transactions. 

Shortly before the trial and guilty verdicts, the Court issued an order addressing the admissibility of expert testimony related to blockchain analysis software under the factors established by the Supreme Court’s decision in Daubert v. Merrell Dow Pharmaceuticals, Inc. to assess the reliability of expert testimony under Federal Rule of Evidence 702.  This blog post focuses on that order.

Specifically, the Court addressed proprietary software used by the private digital asset forensic firm Chainalysis, Chainalysis Reactor (“Reactor”), and whether expert testimony by witnesses propounded by the government – Luke Scholl (“Scholl”) from the FBI, and Elizabeth Bisbee (“Bisbee”) from Chainalysis – could rely upon Reactor under Daubert.  Reactor is a software used to dissect bitcoin transactions, utilizing techniques like co-spend analysis to connect multiple addresses to a single entity. The defense raised significant concerns about the reliability of Reactor.

The Court found the expert testimony admissible under Daubert.  Importantly, the Court also noted that while Reactor was important to the government’s case, it was not the sole basis for the prosecution’s theories. Other evidence, such as materials found in Sterlingov’s possession, online forum posts, IP analyses, and traditional blockchain tracing, also supported the prosecution.

The Court’s decision has potentially significant implications for future cases involving cryptocurrency transactions and digital currency-related crimes. It establishes a precedent regarding the potential admissibility of evidence derived from such software tools and underscores the evolving challenges and complexities of investigating financial crimes in the digital age.

Continue Reading  Blockchain Analysis and Related Expert Testimony Admissible In Criminal Trial

The Financial Crimes Enforcement Network (“FinCEN”) recently released a Financial Trend Analysis (“FTA”) focusing on identity-related suspicious activity.  The FTA was issued pursuant to section 6206 of the Anti-Money Laundering Act of 2020, which requires FinCEN to periodically publish threat pattern and trend information derived from BSA filings.

FinCEN examined information from Bank Secrecy Act (“BSA”) filings submitted in the 2021 calendar year.  According to FinCEN’s analysis, 1.6 million “BSA filings” – presumably, the vast majority of which constituted Suspicious Activity Reports (“SARs”) – were identity-related, representing a total of $212 billion in suspicious activity.  These filings constituted 42% of filings for that year, thereby meaning that approximately 3.8 million SARs were filed in 2021.

The descriptions and the explanations in the FTA necessarily turn on how the SAR filings chose to describe the suspicious activity at issue.  This is presumably why most of the activity falls into the vague category of “general fraud” – because, apparently, this is the particular box on the SAR form which most of the SAR filers happened to choose.  However, and we will describe, the activity in fact animating the vast majority of these SARs is some form of identity theft.

Continue Reading  FinCEN Analysis Reveals $212 Billion in Identity-Related Suspicious Activity

Farewell to 2023, and welcome 2024.  As we do every year, let’s look back.

We highlight 10 of our most-read blog posts from 2023, which address many of the key issues we’ve examined during the past year: criminal money laundering enforcement; compliance risks with third-party fintech relationships; the scope of authority of bank regulators; sanctions

On October 23, the Financial Crimes Enforcement Network (“FinCEN”) published a notice of proposed rulemaking (“NPRM”) entitled Proposal of Special Measure Regarding Convertible Virtual Currency Mixing, as a Class of Transactions of Primary Money Laundering Concern.  Section 311 of the Patriot Act, codified at 31 U.S.C. § 5318A (“Section 311”), grants the Secretary of the Treasury authority – which has been delegated to FinCEN – to require domestic financial institutions and agencies to take certain “special measures” if FinCEN finds that reasonable grounds exist for concluding that one or more classes of transactions within or involving a jurisdiction outside of the United States is of “primary money laundering concern.” 

In this NPRM, FinCEN proposes to designate under Section 311 all convertible virtual currency (“CVC”) mixing transactions, as defined by the NPRM.  This designation would require imposing reporting and recordkeeping requirements upon covered financial institutions (“FIs”) regarding transactions occurring by, through, or to a FI when the FI “knows, suspects, or has reason to suspect” that the transaction involves CVC mixing.

The NPRM is complicated and raises complex questions.  We only summarize here, and note selected issues.  Comments are due on January 22, 2024.  FinCEN can expect many comments.

Continue Reading  FinCEN Proposes to Require Recordkeeping and Reporting for CVC Mixing Transactions

Complex Civil and Criminal Cases Converge

On August 17, 2023, Judge Robert Pitman of the federal district court for the Western District of Texas issued an Order granting summary judgment for the U.S. Treasury Department (“Treasury”) in a lawsuit brought by six individuals, and denying the cross-motion for summary judgment filed by the individuals. The lawsuit alleged that Treasury overstepped its authority by imposing sanctions on the coin mixing service Tornado Cash.  Deciding for the government, Judge Pitman determined that Tornado Cash is a “person” that may be designated by OFAC sanctions.  Specifically, the regulatory definition of “person” includes an “association,” and Tornado Cash is an “association” within its ordinary meaning.

Shortly thereafter, on August 23, 2023, the U.S. Department of Justice (“DOJ”) unsealed an indictment returned in the Southern District of New York against the alleged developers of Tornado Cash, Roman Storm (“Storm”), a naturalized citizen residing in the U.S., and Roman Semenov (“Semenov”), a Russian citizen.  The indictment charges them with conspiring to commit money laundering, operate an unlicensed money transmitting business, and commit sanctions violations involving the International Emergency Economic Powers Act, or IEEPA.  When the indictment was unsealed, Storm was arrested and then released pending trial.  Treasury simultaneously sanctioned Semenov, who remains outside of the U.S., adding him to OFAC’s Specially Designated Nationals and Blocked Persons (“SDN”) List.

These are very complicated cases raising complicated issues.  They are separate but obviously related.  As we will discuss, the factual and legal issues tend to blend together, and how a party characterizes an issue says a lot about their desired outcome:  has the government taken incoherent action against a technology, or has it pursued a group of people attempting to hide behind tech?

Continue Reading  All Roads Lead to Roman: Alleged Tornado Cash Co-Founders Roman Storm Arrested and Roman Semenov Sanctioned, Days After Treasury Defeats Lawsuit Challenging OFAC

But Court Gives Turkish Bank Another Chance to Avoid Charges Under Common-Law Sovereign Immunity

On April 19, 2023, the United States Supreme Court issued a highly-anticipated decision in the case of Turkiye Halk Bankasi A.S., aka Halkbank v. United States.  The court ruled that Turkish state-owned Halkbank remained subject to criminal prosecution in U.S. courts under the Foreign Sovereign Immunities Act (“FSIA”) for fraud, money laundering and sanctions-related charges related to the bank’s alleged participation in a multi-billion dollar scheme to evade U.S. sanctions involving Iran.  Specifically, in a seven to two decision, the Court held that the FSIA does not provide foreign states and their instrumentalities with immunity from U.S. criminal proceedings.  However, the Court remanded the case back to the Court of Appeals for the Second Circuit to determine whether Halkbank still can claim sovereign immunity under common law principles.  The Court’s opinion clearly extends beyond just financial institutions owned by foreign governments, and instead implicates any number of foreign state-owned entities.

Continue Reading  Supreme Court Rules Halkbank is Not Immune from Prosecution Under FSIA

The U.S. Department of Justice (“DOJ”) announced on March 15, 2023 that in a coordinated effort between U.S. Federal Bureau of Investigations, Europol, and German police, the darknet cryptocurrency mixing service ChipMixer has been shut down.  The operation involved the U.S. government’s court-authorized seizure of two domains that directed users to the ChipMixer service and one Github account.  In addition, German authorities seized $46 million in cryptocurrency, as well as ChipMixer’s back-end servers used to run the site. 

Further, the U.S. Attorney’s Office for the Eastern District of Pennsylvania filed a criminal complaint against ChipMixer’s suspected founder, Vietnamese national, Minh Quoc Nguyen (“Nguyen”), alleging that Nguyen openly flouted financial regulations and instructed users how to use ChipMixer to evade reporting requirements while obscuring his true name under a series of stolen and fictitious identities. The complaint also alleges that ChipMixer, described as a popular platform for laundering illicit funds gained from unlawful activities like drug trafficking, ransomware attacks (according to Europol, ransomware actors Zeppelin, SunCrypt, Mamba, Dharma, Lockbit have used ChipMixer), and payment card fraud, was used to launder more than $3 billion in cryptocurrency since 2017.  Nguyen has been charged with money laundering, operating an unlicensed money transmitting business, and identity theft in connection with the operation of ChipMixer. 

Continue Reading  Darkweb Cryptocurrency Mixer ChipMixer Shut Down for Allegedly Laundering $3 Billion Worth of Crypto

Farewell to 2022, and welcome 2023.  As we do every year, let’s look back.

We highlight 12 of our most-read blog posts from 2022, which address many of the key issues we’ve examined during the past year: the Corporate Transparency Act (“CTA”) and beneficial ownership reporting; sanctions — particularly sanctions involving Russia; cryptocurrency and digital

First Post in a Two-Post Series on the CTA Implementing Regulations

On September 30, 2022, the Financial Crimes Enforcement Network (“FinCEN”) issued its final rule, Beneficial Ownership Information Reporting Requirements (“Final Rule”), implementing the beneficial ownership reporting requirements of the Corporate Transparency Act (“CTA”). 

FinCEN’s September 29, 2022 press release is here; the Final Rule is here; and a summary “fact sheet” regarding the rule is here.  The Final Rule largely tracks the December 8, 2021 Notice of Proposed Rulemaking (the “Proposed Rule”), on which we blogged here and here

The Final Rule requires many corporations, limited liability companies, and other entities created in or registered to do business in the United States to report information (“BOI”) about their beneficial owners the persons who ultimately own and control the company — to FinCEN.  This information will be housed within the forthcoming Beneficial Ownership Secure System (“BOSS”), a non-public database under development by FinCEN. 

The Final Rule takes effect on January 1, 2024.  In a nutshell, (1) companies subject to the BOI reporting rules (“reporting companies”) created or registered before the effective date will have one year, until January 1, 2025, to file their initial reports of BOI and (2) reporting companies created or registered after the effective date will have 30 days after creation or registration to file their initial reports.  In addition to the initial filing obligation, reporting companies will have to file updates within 30 days of a relevant change in their BOI.  And, as we discuss, covered companies also will have to report their “company applicants,” which could include lawyers, accountants or other third-party professionals.

The Final Rule will have broad effect.  FinCEN estimates that over 32 million initial BOI reports will be filed in the first year of the Final Rule taking effect, and that approximately 5 million initial BOI reports and over 14 million updated reports will be filed in each subsequent year.  We summarize here the key provisions of the Final Rule.  In our next blog post, we will discuss the Final Rule’s broad definition of the “control” prong regarding who represents a “beneficial owner,” which will result in an expansion of the definition of “beneficial owner” under the existing Customer Due Diligence (“CDD”) rule applicable to banks and other financial institutions (“FIs”).

Continue Reading  FinCEN Issues Final Rule on Beneficial Ownership Reporting Requirements